[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 2 10:33:13 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4f4e964f by Moritz Muehlenhoff at 2025-06-02T11:32:52+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2371,6 +2371,7 @@ CVE-2025-4998 (A vulnerability has been found in H3C Magic R200G up to 100R002 a
 CVE-2025-4969 (A vulnerability was found in the libsoup package. This flaw stems from ...)
 	- libsoup3 <unfixed> (bug #1106248)
 	- libsoup2.4 <unfixed> (bug #1106325)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467
 CVE-2025-4949 (In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestP ...)
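
Review bot: the new `[bookworm]` annotation covers libsoup2.4 only, while libsoup3 is listed as `<unfixed>` two lines above it with no per-release line; if libsoup3 is shipped in bookworm as well, it needs its own `[bookworm] - libsoup3 ...` line (no-dsa, or a fixed version), otherwise the bookworm status of that source package stays undecided. The same applies to the other libsoup hunks in this commit where libsoup3 is `<unfixed>`.
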
@@ -2997,11 +2998,13 @@ CVE-2024-5878 (Multiple plugins for WordPress are vulnerable to Stored Cross-Sit
 CVE-2025-4948 (A flaw was found in the soup_multipart_new_from_message() function of  ...)
 	- libsoup3 <unfixed> (bug #1106204)
 	- libsoup2.4 <unfixed> (bug #1106337)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
 CVE-2025-4945 (A flaw was found in the cookie parsing logic of the libsoup HTTP libra ...)
 	- libsoup3 <unfixed> (bug #1106205)
 	- libsoup2.4 <unfixed> (bug #1106375)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
 CVE-2025-4941 (A vulnerability, which was classified as critical, was found in PHPGur ...)
 	NOT-FOR-US: PHPGurukul
@@ -10856,6 +10859,7 @@ CVE-2024-10635 (Enterprise Protection contains an improper input validation vuln
 CVE-2025-4035 (A flaw was found in libsoup. When handling cookies, libsoup clients mi ...)
 	- libsoup3 <unfixed> (bug #1104414)
 	- libsoup2.4 <unfixed> (bug #1104415)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362651
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/443
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/448
@@ -15266,6 +15270,7 @@ CVE-2025-32908 (A flaw was found in libsoup. The HTTP/2 server in libsoup may no
 CVE-2025-32907 (A flaw was found in libsoup. The implementation of HTTP range requests ...)
 	- libsoup3 <unfixed> (bug #1103264)
 	- libsoup2.4 <unfixed> (bug #1103518)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/428
 	NOTE: See also https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452
 	NOTE: Upstream also claims there are multiple worse DoS problems, so questions the usefulness of this fix.
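
Review bot: the bare `(Minor issue)` rationale on the new `[bookworm]` line hides the actual reason for deferring, which is the NOTE right below it ("Upstream also claims there are multiple worse DoS problems, so questions the usefulness of this fix"); putting a short form of that on the triage line itself, e.g. `<no-dsa> (Minor issue, DoS; upstream doubts the fix is useful on its own)`, keeps the reasoning where tools and other triagers read it.
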
@@ -15273,6 +15278,7 @@ CVE-2025-32906 (A flaw was found in libsoup, where the soup_headers_parse_reques
 	{DLA-4140-1}
 	- libsoup3 3.6.5-1
 	- libsoup2.4 2.74.3-10.1 (bug #1103521)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/404
 	NOTE: Same underlying issue as https://gitlab.gnome.org/GNOME/libsoup/-/issues/407
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440
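
Review bot: this entry already records a bullseye fix via DLA-4140-1 and a fixed libsoup2.4 in unstable (2.74.3-10.1), so after this change bookworm is the only suite left without a fix; if the intent is a point-release update rather than no update at all, the established wording `<no-dsa> (Minor issue; can be fixed via point release)` (used for expat at CVE-2023-52425 in this same file) says so, whereas a bare `(Minor issue)` leaves it ambiguous. Same consideration for the other libsoup2.4 entries in this commit that carry {DLA-4140-1} and a fixed sid version.
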
@@ -18277,6 +18283,7 @@ CVE-2025-32052 (A flaw was found in libsoup. A vulnerability in the sniff_unknow
 	{DLA-4140-1}
 	- libsoup3 3.6.1-1
 	- libsoup2.4 2.74.3-10 (bug #1102214)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652 (3.6.1)
 CVE-2025-32051 (A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri() fu ...)
@@ -18290,11 +18297,13 @@ CVE-2025-32050 (A flaw was found in libsoup. The libsoup append_param_quoted() f
 	{DLA-4140-1}
 	- libsoup3 3.6.1-1
 	- libsoup2.4 2.74.3-10 (bug #1102212)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323 (3.6.1)
 CVE-2025-32049 (A flaw was found in libsoup. The SoupWebsocketConnection may accept a  ...)
 	- libsoup3 <unfixed> (bug #1102067)
 	- libsoup2.4 <unfixed> (bug #1102211)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408
 	NOTE: Proposed fix adds an option with the default retaining old behaviour:
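
Review bot: for CVE-2025-32049 the NOTE says the proposed upstream fix is opt-in (the default keeps the old behaviour), so a point-release update alone would not change what applications get; the rationale on the new `[bookworm]` line should say that, e.g. `<no-dsa> (Minor issue; upstream fix is opt-in for applications)`, so a later reader does not assume a backport would close the issue by itself.
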
@@ -18573,6 +18582,7 @@ CVE-2025-2784 (A flaw was found in libsoup. The package is vulnerable to a heap
 	{DLA-4140-1}
 	- libsoup3 3.6.5-1
 	- libsoup2.4 2.74.3-10 (bug #1102208)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d (3.6.5)
 	NOTE: Depends on: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435
@@ -18581,6 +18591,7 @@ CVE-2025-32053 (A flaw was found in libsoup. A vulnerability in sniff_feed_or_ht
 	{DLA-4140-1}
 	- libsoup3 3.6.1-1
 	- libsoup2.4 2.74.3-10 (bug #1102215)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/426
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a (3.6.1)
 	NOTE: Fix for CVE-2025-32053 potentially introduces CVE-2025-2784
@@ -25624,6 +25635,7 @@ CVE-2024-8176 (A stack overflow vulnerability exists in the libexpat library due
 	[bookworm] - expat <ignored> (Minor issue and too intrusive to backport)
 	[bullseye] - expat <ignored> (Minor issue and too intrusive to backport)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://blog.hartwork.org/posts/expat-2-7-0-released/
 	NOTE: https://github.com/libexpat/libexpat/issues/893
 	NOTE: https://github.com/libexpat/libexpat/pull/973
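
Review bot: the expat entry here carries both `[bookworm]` and `[bullseye]` `<ignored>` lines, but the new libxmltok line covers bookworm only; if libxmltok is still shipped in bullseye, a matching `[bullseye] - libxmltok <ignored> (...)` line is needed (or a note that bullseye is left to the LTS team), otherwise the bullseye status for libxmltok stays open in every libxmltok hunk of this commit.
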
@@ -68849,6 +68861,7 @@ CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a cra
 	- expat 2.6.3-2 (bug #1086134)
 	[bookworm] - expat <no-dsa> (Minor issue)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/915
 	NOTE: https://github.com/libexpat/libexpat/commit/51c7019069b862e88d94ed228659e70bddd5de09 (R_2_6_4)
 	NOTE: https://github.com/libexpat/libexpat/commit/5fb89e7b3afa1c314b34834fe729cd063f65a4d4 (R_2_6_4)
@@ -82815,6 +82828,7 @@ CVE-2024-45492 (An issue was discovered in libexpat before 2.6.3. nextScaffoldPa
 	{DSA-5770-1 DLA-3893-1}
 	- expat 2.6.2-2 (bug #1080152)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/892
 	NOTE: https://github.com/libexpat/libexpat/issues/889
 	NOTE: https://github.com/libexpat/libexpat/commit/29ef43a0bab633b41e71dd6d900fff5f6b3ad5e4 (R_2_6_3)
@@ -82822,6 +82836,7 @@ CVE-2024-45491 (An issue was discovered in libexpat before 2.6.3. dtdCopy in xml
 	{DSA-5770-1 DLA-3893-1}
 	- expat 2.6.2-2 (bug #1080150)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/891
 	NOTE: https://github.com/libexpat/libexpat/issues/888
 	NOTE: https://github.com/libexpat/libexpat/commit/b8a7dca4670973347892cfc452b24d9001dcd6f5 (R_2_6_3)
@@ -82829,6 +82844,7 @@ CVE-2024-45490 (An issue was discovered in libexpat before 2.6.3. xmlparse.c doe
 	{DSA-5770-1 DLA-3893-1}
 	- expat 2.6.2-2 (bug #1080149)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/890
 	NOTE: https://github.com/libexpat/libexpat/issues/887
 	NOTE: https://github.com/libexpat/libexpat/commit/e5d6bf015ee531df0a8751baa618d25b2de73a7c (R_2_6_3)
@@ -135482,6 +135498,7 @@ CVE-2024-27698
 CVE-2024-28757 (libexpat through 2.6.1 allows an XML Entity Expansion attack when ther ...)
 	- expat 2.6.1-2 (bug #1065868; unimportant)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/842
 	NOTE: https://github.com/libexpat/libexpat/issues/839
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
@@ -144272,6 +144289,7 @@ CVE-2023-6240 (A Marvin vulnerability side-channel leakage was found in the RSA
 CVE-2023-52426 (libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DT ...)
 	- expat 2.6.0-1 (bug #1063240; unimportant)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/777
 	NOTE: https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404
 	NOTE: https://github.com/libexpat/libexpat/pull/777#issuecomment-1965172301
@@ -144280,8 +144298,9 @@ CVE-2023-52426 (libexpat through 2.5.0 allows recursive XML Entity Expansion if
 CVE-2023-52425 (libexpat through 2.5.0 allows a denial of service (resource consumptio ...)
 	{DLA-3893-1 DLA-3783-1}
 	- expat 2.6.0-1 (bug #1063238)
-	- libxmltok <removed>
 	[bookworm] - expat <no-dsa> (Minor issue; can be fixed via point release)
+	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/789
 	NOTE: Merge commit: https://github.com/libexpat/libexpat/commit/34b598c5f594b015c513c73f06e7ced3323edbf1
 CVE-2020-36773 (Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-a ...)
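
Review bot: moving `- libxmltok <removed>` below the `[bookworm] - expat <no-dsa>` annotation is the right fix: in data/CVE/list a `[release]` line belongs directly after the package line it qualifies, and the old order left the expat bookworm annotation separated from its package line by the libxmltok entry. Worth a quick grep for other entries where a `[release]` line is separated from its package by an unrelated package line, since they would need the same reordering.
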
@@ -232259,6 +232278,7 @@ CVE-2022-43680 (In libexpat through 2.4.9, there is a use-after free caused by o
 	{DSA-5266-1 DLA-3165-1}
 	- expat 2.5.0-1 (bug #1022743)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/issues/649
 	NOTE: https://github.com/libexpat/libexpat/pull/616
 	NOTE: https://github.com/libexpat/libexpat/pull/650
@@ -240769,6 +240789,7 @@ CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent func
 	{DSA-5236-1 DLA-3119-1}
 	- expat 2.4.8-2 (bug #1019761)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/629
 	NOTE: https://github.com/libexpat/libexpat/pull/640
 	NOTE: https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b
@@ -284371,12 +284392,14 @@ CVE-2022-25315 (In Expat (aka libexpat) before 2.4.5, there is an integer overfl
 	{DSA-5085-1 DLA-2935-1}
 	- expat 2.4.5-1
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/559
 	NOTE: https://github.com/libexpat/libexpat/commit/eb0362808b4f9f1e2345a0cf203b8cc196d776d9
 CVE-2022-25314 (In Expat (aka libexpat) before 2.4.5, there is an integer overflow in  ...)
 	{DSA-5085-1}
 	- expat 2.4.5-1
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	[stretch] - expat <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/libexpat/libexpat/pull/560
 	NOTE: https://github.com/libexpat/libexpat/commit/efcb347440ade24b9f1054671e6bd05e60b4cafd
@@ -284384,6 +284407,7 @@ CVE-2022-25313 (In Expat (aka libexpat) before 2.4.5, an attacker can trigger st
 	{DSA-5085-1 DLA-2935-1}
 	- expat 2.4.5-1
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/558
 	NOTE: https://github.com/libexpat/libexpat/commit/9b4ce651b26557f16103c3a366c91934ecd439ab
 CVE-2022-25311 (A vulnerability has been identified in SINEC NMS (All versions >= V1.0 ...)
@@ -284736,6 +284760,7 @@ CVE-2022-25236 (xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers
 	{DSA-5085-1 DLA-2935-1}
 	- expat 2.4.5-1 (bug #1005895)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/561
 	NOTE: https://github.com/libexpat/libexpat/commit/6881a4fc8596307ab9ff2e85e605afa2e413ab71
 	NOTE: https://github.com/libexpat/libexpat/commit/a2fe525e660badd64b6c557c2b1ec26ddc07f6e4
@@ -284749,6 +284774,7 @@ CVE-2022-25235 (xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain
 	{DSA-5085-1 DLA-2935-1}
 	- expat 2.4.5-1 (bug #1005894)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/562
 	NOTE: https://github.com/libexpat/libexpat/commit/ee2a5b50e7d1940ba8745715b62ceb9efd3a96da
 	NOTE: https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6
@@ -289027,6 +289053,7 @@ CVE-2022-23990 (Expat (aka libexpat) before 2.4.4 has an integer overflow in the
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-3
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/551
 	NOTE: Introduced with: https://github.com/libexpat/libexpat/commit/cb8a4c756d057b948c1b41e7185dd69ef3ade3fb (R_1_95_4)
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/ede41d1e186ed2aba88a06e84cac839b770af3a1 (R_2_4_4)
@@ -289808,6 +289835,7 @@ CVE-2022-23852 (Expat (aka libexpat) before 2.4.4 has a signed integer overflow
 	{DSA-5073-1 DLA-2935-1 DLA-2904-1}
 	- expat 2.4.3-2
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/550
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40 (R_2_4_4)
 	NOTE: Tests: https://github.com/libexpat/libexpat/commit/acf956f14bf79a5e6383a969aaffec98bfbc2e44
@@ -293604,36 +293632,42 @@ CVE-2022-22827 (storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1003474)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/539
 	NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3)
 CVE-2022-22826 (nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 ha ...)
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1003474)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/539
 	NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3)
 CVE-2022-22825 (lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integ ...)
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1003474)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/539
 	NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3)
 CVE-2022-22824 (defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has ...)
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1003474)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/539
 	NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3)
 CVE-2022-22823 (build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an  ...)
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1003474)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/539
 	NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3)
 CVE-2022-22822 (addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an i ...)
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1003474)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/539
 	NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3)
 CVE-2022-22821 (NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in wh ...)
@@ -294210,7 +294244,7 @@ CVE-2021-46143 (In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3,
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1
 	- libxmltok 1.2-4.2 (bug #1012179)
-	[bookworm] - libxmltok <no-dsa> (Minor issue)
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/issues/532
 	NOTE: https://github.com/libexpat/libexpat/pull/538
 	NOTE: https://github.com/libexpat/libexpat/commit/85ae9a2d7d0e9358f356b33977b842df8ebaec2b (R_2_4_3)
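
Review bot: unlike the other libxmltok entries in this commit, this one has a fixed version in unstable (`libxmltok 1.2-4.2`, bug #1012179) rather than `<removed>`, so changing bookworm from `<no-dsa>` to `<ignored>` records that an existing Debian fix is deliberately not being backported; the rationale "no runtime dependencies left" justifies that, but it is a different statement from the `<removed>` entries, where no fixed version exists at all, and the difference is worth keeping in mind if the 1.2-4.2 change is ever considered for a point release.
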
@@ -295735,6 +295769,7 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor
 	{DSA-5073-1 DLA-2904-1}
 	- expat 2.4.3-1 (bug #1002994)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/issues/531
 	NOTE: https://github.com/libexpat/libexpat/pull/534
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/0adcb34c49bee5b19bd29b16a578c510c23597ea (R_2_4_3)
@@ -460270,6 +460305,7 @@ CVE-2019-15903 (In libexpat before 2.2.8, crafted XML input could fool the parse
 	{DSA-4571-1 DSA-4549-1 DSA-4530-1 DLA-1997-1 DLA-1987-1 DLA-1912-1}
 	- expat 2.2.7-2 (bug #939394)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	- firefox 70.0-1
 	- firefox-esr 68.2.0esr-1
 	- chromium <not-affected> (uses system libexpat)
@@ -470897,6 +470933,7 @@ CVE-2018-20843 (In libexpat in Expat before 2.2.7, XML input including XML names
 	{DSA-4472-1 DLA-1839-1}
 	- expat 2.2.6-2 (bug #931031)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
 	NOTE: https://github.com/libexpat/libexpat/issues/186
 	NOTE: https://github.com/libexpat/libexpat/pull/262
@@ -578571,8 +578608,8 @@ CVE-2017-11744 (In MODX Revolution 2.5.7, the "key" and "name" parameters in the
 CVE-2017-11743 (MEDHOST Connex contains a hard-coded Mirth Connect admin credential th ...)
 	NOT-FOR-US: MEDHOST Connex
 CVE-2017-11742 (The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat i ...)
-	- expat <not-affected> (Windows specfic issue)
-	- libxmltok <removed>
+	- expat <not-affected> (Windows specific issue)
+	- libxmltok <not-affected> (Windows-specific issue)
 CVE-2017-11741 (HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) bef ...)
 	NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin
 CVE-2017-11740 (In Zoho ManageEngine Application Manager 13.1 Build 13100, the adminis ...)
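
Review bot: the two rationale strings in this hunk differ in hyphenation (`Windows specific issue` for expat, `Windows-specific issue` for libxmltok); pick one form for both lines. Switching libxmltok from `<removed>` to `<not-affected>` is the better state here, since it settles bookworm as well without a per-release line, and it matches the expat entry directly above it.
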
@@ -586329,6 +586366,7 @@ CVE-2017-9233 (XML External Entity vulnerability in libexpat 2.2.0 and earlier (
 	{DSA-3898-1 DLA-990-1}
 	- expat 2.2.1-1
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://libexpat.github.io/doc/cve-2017-9233/
 	NOTE: https://github.com/libexpat/libexpat/commit/c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
 CVE-2017-9232 (Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a ...)
@@ -614708,6 +614746,7 @@ CVE-2016-9063 (An integer overflow during the parsing of XML using the Expat lib
 	- firefox-esr <not-affected> (Does not affect Firefox 45 ESR release)
 	- expat 2.2.0-2
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	[jessie] - expat 2.1.0-6+deb8u4
 	[wheezy] - expat <no-dsa> (Minor issue)
 	NOTE: Expat upstream fix: https://github.com/libexpat/libexpat/commit/d4f735b88d9932bd5039df2335eefdd0723dbe20
@@ -627297,6 +627336,7 @@ CVE-2016-5300 (The XML parser in Expat does not use sufficient entropy for hash
 	{DSA-3597-1 DLA-508-1}
 	- expat 2.1.1-3
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 CVE-2016-5244 (The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel t ...)
 	{DSA-3607-1 DLA-516-1}
 	- linux 4.6.2-1
@@ -630071,6 +630111,7 @@ CVE-2016-4472 (The overflow protection in Expat is removed by compilers with cer
 	{DSA-3582-1 DLA-483-1}
 	- expat 2.1.1-2
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc
 CVE-2016-4471 (ManageIQ in CloudForms before 4.1 allows remote authenticated users to ...)
 	NOT-FOR-US: Red Hat CloudForms
@@ -642421,6 +642462,7 @@ CVE-2016-0718 (Expat allows context-dependent attackers to cause a denial of ser
 	{DSA-3582-1 DLA-483-1}
 	- expat 2.1.1-2
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	- firefox 48.0-1 (unimportant)
 	- firefox-esr <not-affected> (Doesn't affect Firefox ESR)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/
@@ -644751,6 +644793,7 @@ CVE-2012-6702 (Expat, when used in a parser that has not called XML_SetHashSalt
 	{DSA-3597-1 DLA-508-1}
 	- expat 2.1.1-3
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 CVE-2012-6701 (Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows l ...)
 	- linux <not-affected> (Fixed in v3.2.19; which was before src:linux rename)
 	- linux-2.6 3.2.19-1
@@ -665711,6 +665754,7 @@ CVE-2015-1283 (Multiple integer overflows in the XML_GetBuffer function in Expat
 	[squeeze] - chromium-browser <end-of-life>
 	- expat 2.1.0-7 (bug #793484)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: Patch: https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
 CVE-2015-1282 (Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Docu ...)
 	{DSA-3315-1}
@@ -713769,6 +713813,7 @@ CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansi
 	[experimental] - expat 2.4.1-1
 	- expat 2.4.1-2 (unimportant; bug #1001864)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat
 	NOTE: https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/pull/466
@@ -728197,9 +728242,11 @@ CVE-2012-1148 (Memory leak in the poolGrow function in expat/lib/xmlparse.c in e
 	[squeeze] - xmlrpc-c <no-dsa> (Minor issue)
 	- expat 2.1.0~beta3-1 (bug #663579)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 CVE-2012-1147 (readfilemap.c in expat before 2.1.0 allows context-dependent attackers ...)
 	- expat <not-affected> (readfilemap.c is not used in *IX)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 CVE-2012-1146 (The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in t ...)
 	- linux-2.6 3.2.10-1 (low)
 	[squeeze] - linux-2.6 <not-affected> (Vulnerable code not present)
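
Review bot: for CVE-2012-1147 expat is `<not-affected> (readfilemap.c is not used in *IX)`, and that reason is file-specific rather than package-specific; unless libxmltok actually compiles readfilemap.c into something it ships, the libxmltok entry should be `<not-affected>` with the same rationale, as this commit does for CVE-2017-11742, rather than `[bookworm] - libxmltok <ignored> (Minor issue, ...)`, which states that bookworm is affected but left unfixed.
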
@@ -728878,6 +728925,7 @@ CVE-2012-0876 (The XML parser (xmlparse.c) in expat before 2.1.0 computes hash v
 	{DSA-2525-1}
 	- expat 2.1.0~beta3-1 (bug #663579)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	- xmlrpc-c 1.16.33-3.2 (low; bug #687672)
 	[squeeze] - xmlrpc-c <no-dsa> (Minor issue)
 	- python2.6 <not-affected> (configured with --with-system-expat since 2.6.6-4)
@@ -761651,6 +761699,7 @@ CVE-2009-3720 (The updatePosition function in lib/xmltok_impl.c in libexpat in E
 	{DSA-1977-1 DSA-1921-1}
 	- expat 2.0.1-5 (low; bug #551936)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	- mcabber 0.10.0-1 (low; bug #601053)
 	[lenny] - mcabber <no-dsa> (Minor issue)
 	- w3c-libwww <removed> (low; bug #551938)
@@ -762134,6 +762183,7 @@ CVE-2009-3560 (The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0
 	{DSA-1977-1 DSA-1953-2 DSA-1953-1}
 	- expat 2.0.1-6 (low; bug #560901)
 	- libxmltok <removed>
+	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	- mcabber 0.10.0-1 (low; bug #601053)
 	[lenny] - mcabber <no-dsa> (Minor issue)
 	- w3c-libwww <removed>



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f4e964fb7ea377fc8ec8130e5070cd8b52b10da
